refactor(profiles): use @{bin} and @{lib} in profiles (5)

This commit is contained in:
Alexandre Pujol 2023-07-09 14:34:42 +01:00
parent 43b0f09b65
commit fcedbbfd95
122 changed files with 873 additions and 876 deletions


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gajim
@{exec_path} = @{bin}/gajim
profile gajim @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -35,27 +35,27 @@ profile gajim @{exec_path} {
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}{s,}bin/ldconfig rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/ldconfig rix,
@{bin}/uname rix,
# To play sounds
/{usr/,}bin/aplay rix,
/{usr/,}bin/pacat rix,
@{bin}/aplay rix,
@{bin}/pacat rix,
# Needed for GPG/PGP support
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/{,@{multiarch}-}ld.bfd rCx -> ccache,
@{bin}/ccache rCx -> ccache,
@{bin}/{,@{multiarch}-}ld.bfd rCx -> ccache,
# External apps
/{usr/,}bin/xdg-settings rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/spacefm rPx,
@{bin}/xdg-settings rPx,
@{lib}/firefox/firefox rPx,
@{bin}/spacefm rPx,
# Gajim plugins
/usr/share/gajim/plugins/{,**} r,
@ -99,13 +99,13 @@ profile gajim @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ccache mr,
@{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}ld.bfd rix,
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/collect2 rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
@{bin}/{,@{multiarch}-}ld.bfd rix,
@{lib}/gcc/@{multiarch}/[0-9]*/collect2 rix,
owner /tmp/cc* rw,
owner /tmp/tmp* rw,
@ -121,12 +121,12 @@ profile gajim @{exec_path} {
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
/{usr/,}lib/gnupg/scdaemon rix,
@{bin}/gpg-agent rix,
@{lib}/gnupg/scdaemon rix,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
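Review bot: In the gpg child profile, `@{bin}/gpg-agent rix` keeps the agent running under the child's own rule set, whereas the git profile's gpg child in this same commit transitions with `@{bin}/gpg-agent rPx`; if a standalone gpg-agent profile exists (git's rule implies one), the gajim child should use `@{bin}/gpg-agent rPx,` as well so the process holding private key material is not confined by gajim's rules. Separately, `@{bin}/ldconfig rix` replaced a pattern that explicitly matched `{s,}bin` while the neighbouring rules matched only `bin`; the two stay equivalent only if `@{bin}` expands to both directories, which is not visible in this commit. The gpg child body continues outside the hunk.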


@ -11,13 +11,13 @@ profile games-wesnoth-sh @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/usr/games/wesnoth{,-[0-9]*} rPx,
# For the editor
/{usr/,}bin/basename rix,
/{usr/,}bin/sed rix,
@{bin}/basename rix,
@{bin}/sed rix,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ganyremote
@{exec_path} = @{bin}/ganyremote
profile ganyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -23,33 +23,33 @@ profile ganyremote @{exec_path} {
network inet6 stream,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/{m,g,}awk rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/rm rix,
@{bin}/{,e}grep rix,
@{bin}/cut rix,
@{bin}/id rix,
@{bin}/which{,.debianutils} rix,
@{bin}/tr rix,
@{bin}/{m,g,}awk rix,
/{usr/,}bin/anyremote rPx,
/{usr/,}bin/ps rPx,
@{bin}/anyremote rPx,
@{bin}/ps rPx,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep,
@{bin}/killall rCx -> killall,
@{bin}/pgrep rCx -> pgrep,
/{usr/,}bin/pacmd rPUx,
/{usr/,}bin/pactl rPUx,
@{bin}/pacmd rPUx,
@{bin}/pactl rPUx,
# Players
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/amarok rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/strawberry rPUx,
@{bin}/smplayer rPUx,
@{bin}/amarok rPUx,
@{bin}/vlc rPUx,
@{bin}/mpv rPUx,
@{bin}/strawberry rPUx,
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,*} rw,
@ -79,7 +79,7 @@ profile ganyremote @{exec_path} {
ptrace (read),
/{usr/,}bin/killall mr,
@{bin}/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@ -92,7 +92,7 @@ profile ganyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/pgrep mr,
@{bin}/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/gconf/gconfd-[0-9]
@{exec_path} = @{lib}/@{multiarch}/gconf/gconfd-[0-9]
profile gconfd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gdisk
@{exec_path} = @{bin}/gdisk
profile gdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gdk-pixbuf-query-loaders
@{exec_path} = @{bin}/gdk-pixbuf-query-loaders
profile gdk-pixbuf-query-loaders @{exec_path} {
include <abstractions/base>
@ -15,8 +15,8 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw,
/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw,
@{lib}/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw,
@{lib}/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw,
include if exists <local/gdk-pixbuf-query-loaders>
}
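Review bot: `@{lib}/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw` and the `.cache.*` rule beside it are write grants into a system library tree, and with `@{lib}` replacing `/{usr/,}lib` the set of matching directories is now whatever the tunable expands to (presumably more than the two spellings the old glob covered; the definition is not visible here). A one-line comment such as `# regenerates the loader cache, hence write access under @{lib}` would make the intent explicit for anyone auditing writable paths. It is also worth checking whether the temp-file pattern can carry `owner`, since the cache is presumably created by this same process.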


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gio-querymodules
@{exec_path} = @{bin}/gio-querymodules
profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/openssl>
@ -16,8 +16,8 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
/{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} w,
@{lib}/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
@{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} w,
deny /apparmor/.null rw,


@ -7,13 +7,11 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/git
@{exec_path} += /{usr/,}bin/git-*
@{exec_path} += /{usr/,}lib/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-*
@{exec_path} += @{libexec}/git-core/git
@{exec_path} += @{libexec}/git-core/git-*
@{exec_path} += @{libexec}/git-core/mergetools/*
@{exec_path} = @{bin}/git
@{exec_path} += @{bin}/git-*
@{exec_path} += @{lib}/git-core/git
@{exec_path} += @{lib}/git-core/git-*
@{exec_path} += @{lib}/git-core/mergetools/*
profile git @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -34,47 +32,47 @@ profile git @{exec_path} {
# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
# the most similar commands, which it thinks can be used instead. Git binaries are all under
# /usr/bin/ , so allow only this location.
/{usr/,}bin/ r,
@{bin}/ r,
deny /{usr/,}sbin/ r,
deny /usr/local/{s,}bin/ r,
deny /usr/games/ r,
deny /usr/local/games/ r,
# These are needed for "git submodule update"
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/date rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/envsubst rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gettext.sh rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/whoami rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cat rix,
@{bin}/date rix,
@{bin}/dirname rix,
@{bin}/envsubst rix,
@{bin}/gettext rix,
@{bin}/gettext.sh rix,
@{bin}/hostname rix,
@{bin}/mkdir rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/uname rix,
@{bin}/wc rix,
@{bin}/whoami rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
/{usr/,}bin/man rPx,
/{usr/,}bin/meld rPUx,
/{usr/,}lib/code/extensions/git/dist/askpass.sh rPx,
/{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx,
@{bin}/man rPx,
@{bin}/meld rPUx,
@{lib}/code/extensions/git/dist/askpass.sh rPx,
@{lib}/code/extensions/git/dist/git-editor.sh rPx,
/usr/share/aurpublish/*.hook rPx,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/ssh rCx -> ssh,
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/ssh rCx -> ssh,
@{bin}/sensible-editor rCx -> editor,
@{bin}/vim rCx -> editor,
@{bin}/vim.* rCx -> editor,
/usr/share/git-core/{,**} r,
/usr/share/terminfo/x/xterm-256color r,
@ -108,8 +106,8 @@ profile git @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpg-agent rPx,
@{bin}/gpg{,2} mr,
@{bin}/gpg-agent rPx,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -132,7 +130,7 @@ profile git @{exec_path} {
network inet6 stream,
network netlink raw,
/{usr/,}bin/ssh mr,
@{bin}/ssh mr,
/etc/ssh/ssh_config.d/{,*} r,
/etc/ssh/ssh_config r,
@ -162,11 +160,11 @@ profile git @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim mrix,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/sensible-editor mr,
@{bin}/vim mrix,
@{bin}/vim.* mrix,
@{bin}/{,ba,da}sh rix,
@{bin}/which{,.debianutils} rix,
/usr/share/vim/{,**} r,
/usr/share/terminfo/x/xterm-256color r,
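Review bot: The comment above `@{bin}/ r,` still says git binaries are all under /usr/bin so only that location is allowed, but if `@{bin}` expands to `{,s}bin` as the rest of this commit suggests (sbin tools such as gdisk and groupadd are now matched by it), the allow covers sbin too and it is the unchanged `deny /{usr/,}sbin/ r,` that keeps the listing closed, since deny wins over allow. The comment should record that, e.g. `# @{bin} also matches sbin; the deny below keeps sbin/ closed`, so the deny is not dropped as redundant in a later cleanup. The submodule helper list also carries `@{bin}/cat rix,` twice; one copy can go. The git profile body continues outside the hunks.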


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/glib-compile-resources
@{exec_path} = @{bin}/glib-compile-resources
profile glib-compile-resources @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/xmllint rix,
@{bin}/xmllint rix,
/tmp/resource-* rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/glib-compile-schemas
@{exec_path} = @{bin}/glib-compile-schemas
profile glib-compile-schemas @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/glib-pacrunner
@{exec_path} = @{lib}/glib-pacrunner
profile glib-pacrunner @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/globaltime
@{exec_path} = @{bin}/globaltime
profile globaltime @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/glxgears
@{exec_path} = @{bin}/glxgears
profile glxgears @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/glxinfo
@{exec_path} = @{bin}/glxinfo
profile glxinfo @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpa
@{exec_path} = @{bin}/gpa
profile gpa @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -18,10 +18,10 @@ profile gpa @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpg{,2} rPx,
/{usr/,}bin/gpgsm rPx,
@{bin}/gpgconf rPx,
@{bin}/gpg-connect-agent rPx,
@{bin}/gpg{,2} rPx,
@{bin}/gpgsm rPx,
/usr/share/gpa/{,*} r,
@ -45,7 +45,7 @@ profile gpa @{exec_path} {
owner /tmp/xauth-[0-9]*-_[0-9] r,
# External apps
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gparted
@{exec_path} = @{bin}/gparted
profile gparted @{exec_path} {
include <abstractions/base>
@ -15,34 +15,34 @@ profile gparted @{exec_path} {
@{exec_path} r,
/{usr/,}{s,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/pidof rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/touch rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/cut rix,
@{bin}/id rix,
@{bin}/ls rix,
@{bin}/mkdir rix,
@{bin}/pidof rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/touch rix,
/{usr/,}{s,}bin/gpartedbin rPx,
@{libexec}/gparted/gpartedbin rPx,
@{libexec}/gpartedbin rPx,
@{bin}/gpartedbin rPx,
@{lib}/gparted/gpartedbin rPx,
@{lib}/gpartedbin rPx,
@{libexec}/{,udisks2/}udisks2-inhibit rix,
@{lib}/{,udisks2/}udisks2-inhibit rix,
@{run}/udev/rules.d/ rw,
@{run}/udev/rules.d/90-udisks-inhibit.rules rw,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/killall5 rCx -> killall,
@{bin}/udevadm rCx -> udevadm,
@{bin}/killall5 rCx -> killall,
/{usr/,}bin/ps rPx,
/{usr/,}bin/xhost rPx,
/{usr/,}bin/pkexec rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
@{bin}/ps rPx,
@{bin}/xhost rPx,
@{bin}/pkexec rPx,
@{bin}/systemctl rPx -> child-systemctl,
# For shell pwd
/ r,
@ -63,7 +63,7 @@ profile gparted @{exec_path} {
ptrace (read),
/{usr/,}bin/udevadm mr,
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
@ -91,7 +91,7 @@ profile gparted @{exec_path} {
ptrace (read),
/{usr/,}{s,}bin/killall5 mr,
@{bin}/killall5 mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
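Review bot: `@{exec_path} = @{bin}/gparted`, `@{bin}/ r,` and `@{bin}/killall5 rCx -> killall` replace patterns that explicitly matched `{s,}bin`, so profile attachment and the directory listing now depend on `@{bin}` expanding to both bin and sbin; likewise `@{lib}/gpartedbin` and `@{lib}/gparted/gpartedbin` replaced `@{libexec}/…` and depend on `@{lib}` covering libexec. Neither definition is visible in this commit, so a comment above the exec_path line, `# gparted may be installed in sbin or libexec; @{bin}/@{lib} must cover both`, would record the assumption. The flip side is that every former bin-only ix rule here (`@{bin}/{,ba,da}sh rix`, `@{bin}/sed rix`, …) now also matches sbin, a small widening in a profile that can reach `@{bin}/pkexec rPx`. The gparted profile body continues outside the hunks.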


@ -7,9 +7,9 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gpartedbin
@{exec_path} += @{libexec}/gpartedbin
@{exec_path} += @{libexec}/gparted/gpartedbin
@{exec_path} = @{bin}/gpartedbin
@{exec_path} += @{lib}/gpartedbin
@{exec_path} += @{lib}/gparted/gpartedbin
profile gpartedbin @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -30,45 +30,45 @@ profile gpartedbin @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}{s,}bin/blkid rPx,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}{s,}bin/hdparm rPx,
/{usr/,}bin/kmod rPx,
@{bin}/blkid rPx,
@{bin}/dmidecode rPx,
@{bin}/hdparm rPx,
@{bin}/kmod rPx,
/{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}bin/umount rCx -> umount,
@{bin}/mount rCx -> mount,
@{bin}/udevadm rCx -> udevadm,
@{bin}/umount rCx -> umount,
/{usr/,}{s,}bin/dmraid rPUx,
/{usr/,}{s,}bin/dmsetup rPUx,
/{usr/,}{s,}bin/dumpe2fs rPx,
/{usr/,}{s,}bin/e2fsck rPx,
/{usr/,}{s,}bin/e2image rPx,
/{usr/,}{s,}bin/fsck.btrfs rPx,
/{usr/,}{s,}bin/fsck.fat rPx,
/{usr/,}{s,}bin/lvm rPUx,
/{usr/,}{s,}bin/mke2fs rPx,
/{usr/,}{s,}bin/mkntfs rPx,
/{usr/,}{s,}bin/mkswap rPx,
/{usr/,}{s,}bin/ntfslabel rPx,
/{usr/,}{s,}bin/ntfsresize rPx,
/{usr/,}{s,}bin/resize2fs rPx,
/{usr/,}{s,}bin/swaplabel rPx,
/{usr/,}{s,}bin/swapoff rPx,
/{usr/,}{s,}bin/swapon rPx,
/{usr/,}{s,}bin/tune2fs rPx,
/{usr/,}bin/btrfs rPx,
/{usr/,}bin/btrfstune rPx,
/{usr/,}bin/mdadm rPUx,
/{usr/,}bin/mkfs.* rPx,
/{usr/,}bin/mtools rPx,
/{usr/,}bin/ntfsinfo rPx,
/{usr/,}bin/xfs_io rPUx,
@{bin}/btrfs rPx,
@{bin}/btrfstune rPx,
@{bin}/dmraid rPUx,
@{bin}/dmsetup rPUx,
@{bin}/dumpe2fs rPx,
@{bin}/e2fsck rPx,
@{bin}/e2image rPx,
@{bin}/fsck.btrfs rPx,
@{bin}/fsck.fat rPx,
@{bin}/lvm rPUx,
@{bin}/mdadm rPUx,
@{bin}/mke2fs rPx,
@{bin}/mkfs.* rPx,
@{bin}/mkntfs rPx,
@{bin}/mkswap rPx,
@{bin}/mtools rPx,
@{bin}/ntfsinfo rPx,
@{bin}/ntfslabel rPx,
@{bin}/ntfsresize rPx,
@{bin}/resize2fs rPx,
@{bin}/swaplabel rPx,
@{bin}/swapoff rPx,
@{bin}/swapon rPx,
@{bin}/tune2fs rPx,
@{bin}/xfs_io rPUx,
/{usr/,}bin/xdg-open rCx -> child-open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open,
@{bin}/xdg-open rCx -> child-open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open,
@{HOME}/.Xauthority r,
owner @{HOME}/*.htm w,
@ -98,7 +98,7 @@ profile gpartedbin @{exec_path} {
mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
/{usr/,}bin/mount mr,
@{bin}/mount mr,
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r,
@ -121,7 +121,7 @@ profile gpartedbin @{exec_path} {
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
/{usr/,}bin/umount mr,
@{bin}/umount mr,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw,
@ -137,7 +137,7 @@ profile gpartedbin @{exec_path} {
ptrace (read),
/{usr/,}bin/udevadm mr,
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
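Review bot: `@{bin}/lvm rPUx`, `@{bin}/mdadm rPUx`, `@{bin}/dmraid rPUx`, `@{bin}/dmsetup rPUx` and `@{bin}/xfs_io rPUx` fall back to unconfined when no matching profile is loaded, which the refactor preserves; for tools invoked by a process that the mount and umount children show operating on raw block devices (and so presumably running as root), `rPx` is the safer form where profiles exist, and otherwise a comment like `# TODO: no profile yet, runs unconfined` marks the known gap. The remaining lines are a mechanical rename plus alphabetical reordering. The gpartedbin profile body continues outside the hunks.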


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpasswd
@{exec_path} = @{bin}/gpasswd
profile gpasswd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,14 +6,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gping
@{exec_path} = @{bin}/gping
profile gping @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/ping rPx,
@{bin}/ping rPx,
include if exists <local/gping>
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpo
@{exec_path} = @{bin}/gpo
profile gpo @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -22,14 +22,14 @@ profile gpo @{exec_path} {
network inet6 stream,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/uname rix,
@{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
owner @{PROC}/@{pid}/fd/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpodder
@{exec_path} = @{bin}/gpodder
profile gpodder @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
@ -26,11 +26,11 @@ profile gpodder @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/uname rix,
owner @{HOME}/ r,
owner @{HOME}/gPodder/ rw,
@ -50,18 +50,18 @@ profile gpodder @{exec_path} {
/usr/share/*/*.desktop r,
/{usr/,}bin/xdg-settings rPUx,
@{bin}/xdg-settings rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@{bin}/xdg-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# A/V players
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/mpv rPUx,
@{bin}/smplayer rPUx,
@{bin}/vlc rPUx,
@{bin}/mpv rPUx,
# Open in a web browser
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
@ -71,20 +71,20 @@ profile gpodder @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{bin}/xdg-open mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gpodder-migrate2tres
@{exec_path} = @{bin}/gpodder-migrate2tres
profile gpodder-migrate2tres @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/uname rix,
owner @{PROC}/@{pid}/fd/ r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupadd
@{exec_path} = @{bin}/groupadd
profile groupadd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -20,7 +20,7 @@ profile groupadd @{exec_path} {
network netlink raw,
@{exec_path} mr,
/{usr/,}{s,}bin/nscd rix,
@{bin}/nscd rix,
/etc/login.defs r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupdel
@{exec_path} = @{bin}/groupdel
profile groupdel @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -22,7 +22,7 @@ profile groupdel @{exec_path} {
network netlink raw,
@{exec_path} mr,
/{usr/,}{s,}bin/nscd rix,
@{bin}/nscd rix,
/etc/login.defs r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/groupmod
@{exec_path} = @{bin}/groupmod
profile groupmod @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/groups
@{exec_path} = @{bin}/groups
profile groups @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grpck
@{exec_path} = @{bin}/grpck
profile grpck @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gsettings
@{exec_path} = @{bin}/gsettings
profile gsettings @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gsimplecal
@{exec_path} = @{bin}/gsimplecal
profile gsimplecal @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gsmartcontrol
@{exec_path} = @{bin}/gsmartcontrol
profile gsmartcontrol @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -22,8 +22,8 @@ profile gsmartcontrol @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/smartctl rPx,
/{usr/,}bin/xterm rCx -> terminal,
@{bin}/smartctl rPx,
@{bin}/xterm rCx -> terminal,
# When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes:
@ -31,10 +31,10 @@ profile gsmartcontrol @{exec_path} {
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Gsmartcontrol works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
#@{bin}/dbus-launch rCx -> dbus,
#@{bin}/dbus-send rCx -> dbus,
deny @{bin}/dbus-launch rx,
deny @{bin}/dbus-send rx,
owner @{user_config_dirs}/gsmartcontrol/ rw,
owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw,
@ -62,16 +62,16 @@ profile gsmartcontrol @{exec_path} {
# The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as
# root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and
# hence this behavior should be blocked.
deny /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx,
deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx,
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@ -89,7 +89,7 @@ profile gsmartcontrol @{exec_path} {
capability setgid,
capability fsetid,
/{usr/,}bin/xterm mr,
@{bin}/xterm mr,
/usr/sbin/update-smart-drivedb rPx,
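Review bot: `/usr/sbin/update-smart-drivedb rPx,` in the terminal child is left as a literal path while every other executable in this file was moved to `@{bin}`; it should read `@{bin}/update-smart-drivedb rPx,` so the transition still matches if the tool lives in /sbin or /usr/bin rather than only /usr/sbin. The `deny @{bin}/dbus-launch rx` and `deny @{bin}/dbus-send rx` pair widens together with the variable, which is the right direction for a deny rule. The terminal child profile continues outside the hunk.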


@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gsmartcontrol-root
@{exec_path} = @{bin}/gsmartcontrol-root
profile gsmartcontrol-root @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/which{,.debianutils} rix,
/{usr/,}bin/pkexec rPx,
@{bin}/pkexec rPx,
include if exists <local/gsmartcontrol-root>
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gssproxy
@{exec_path} = @{bin}/gssproxy
profile gssproxy @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk-query-immodules-{2,3}.0
@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0
profile gtk-query-immodules @{exec_path} {
include <abstractions/base>
@ -15,8 +15,8 @@ profile gtk-query-immodules @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/gtk-{2,3,4}.0/**/immodules.cache w,
/{usr/,}lib/gtk-{2,3,4}.0/**/immodules.cache.[0-9A-Z]* w,
@{lib}/gtk-{2,3,4}.0/**/immodules.cache w,
@{lib}/gtk-{2,3,4}.0/**/immodules.cache.[0-9A-Z]* w,
# Inherit silencer
deny network inet6 stream,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk-update-icon-cache /{usr/,}bin/gtk4-update-icon-cache
@{exec_path} = @{bin}/gtk-update-icon-cache @{bin}/gtk4-update-icon-cache
profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gtk{,2,3}-youtube-viewer
@{exec_path} = @{bin}/gtk{,2,3}-youtube-viewer
profile gtk-youtube-viewer @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
@ -25,23 +25,23 @@ profile gtk-youtube-viewer @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/xterm rCx -> xterm,
/{usr/,}bin/rxvt rCx -> xterm,
/{usr/,}bin/urxvt rCx -> xterm,
@{bin}/xterm rCx -> xterm,
@{bin}/rxvt rCx -> xterm,
@{bin}/urxvt rCx -> xterm,
# Players
/{usr/,}bin/mpv rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/smplayer rPx,
@{bin}/mpv rPx,
@{bin}/vlc rPx,
@{bin}/smplayer rPx,
/{usr/,}lib/firefox/firefox rPx,
@{lib}/firefox/firefox rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@{bin}/xdg-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
owner @{user_config_dirs}/youtube-viewer/{,*} rw,
@ -65,14 +65,14 @@ profile gtk-youtube-viewer @{exec_path} {
signal (send) set=(hup, winch) peer=youtube-viewer,
signal (send) set=(hup, winch) peer=youtube-viewer//wget,
/{usr/,}bin/xterm mr,
/{usr/,}bin/rxvt mr,
/{usr/,}bin/urxvt mr,
@{bin}/xterm mr,
@{bin}/rxvt mr,
@{bin}/urxvt mr,
/{usr/,}bin/zsh rix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/zsh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/youtube-viewer rPx,
@{bin}/youtube-viewer rPx,
owner @{PROC}/@{pid}/loginuid r,
@ -97,20 +97,20 @@ profile gtk-youtube-viewer @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{bin}/xdg-open mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -27,13 +27,13 @@ profile gzdoom @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/xmessage rix,
/{usr/,}bin/gdb rix,
/{usr/,}bin/iconv rix,
@{bin}/zsh rix,
@{bin}/uname rix,
@{bin}/xmessage rix,
@{bin}/gdb rix,
@{bin}/iconv rix,
/opt/gzdoom/ r,
/opt/gzdoom/** mr,


@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hardinfo
@{exec_path} = @{bin}/hardinfo
profile hardinfo @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/user-download-strict>
# This is needed to display some content of devices -> resources
capability sys_admin,
@ -31,36 +31,36 @@ profile hardinfo @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/ldd rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/python2.[0-9]* rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/ruby[0-9].[0-9]* rix,
/{usr/,}bin/make rix,
/{usr/,}bin/strace rix,
/{usr/,}bin/gdb rix,
/{usr/,}bin/last rix,
/{usr/,}bin/iconv rix,
/{usr/,}{s,}bin/route rix,
/{usr/,}bin/valgrind{,.bin} rix,
/{usr/,}lib/@{multiarch}/valgrind/memcheck-*-linux rix,
@{bin}/{,ba,da}sh rix,
@{bin}/gdb rix,
@{bin}/iconv rix,
@{bin}/last rix,
@{bin}/ldd rix,
@{bin}/locale rix,
@{bin}/make rix,
@{bin}/perl rix,
@{bin}/python2.[0-9]* rix,
@{bin}/python3.[0-9]* rix,
@{bin}/route rix,
@{bin}/ruby[0-9].[0-9]* rix,
@{bin}/strace rix,
@{bin}/tr rix,
@{bin}/valgrind{,.bin} rix,
@{lib}/@{multiarch}/valgrind/memcheck-*-linux rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/kmod rCx -> kmod,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
@{bin}/ccache rCx -> ccache,
@{bin}/kmod rCx -> kmod,
/{usr/,}bin/glxinfo rPx,
/{usr/,}bin/xdpyinfo rPx,
/{usr/,}bin/lspci rPx,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/netstat rPx,
/{usr/,}bin/qtchooser rPx,
@{bin}/glxinfo rPx,
@{bin}/xdpyinfo rPx,
@{bin}/lspci rPx,
@{bin}/lsusb rPx,
@{bin}/netstat rPx,
@{bin}/qtchooser rPx,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac,
@{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac,
/usr/share/hardinfo/{,**} r,
@ -112,7 +112,7 @@ profile hardinfo @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# Silencer
deny /usr/share/gdb/python/** w,
@ -124,11 +124,11 @@ profile hardinfo @{exec_path} {
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
@{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
@ -140,9 +140,9 @@ profile hardinfo @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/* mr,
@{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/lib/** mr,
@{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr,
/etc/java-[0-9]*-openjdk/** r,
@ -163,19 +163,19 @@ profile hardinfo @{exec_path} {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
@{bin}/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
@ -185,7 +185,7 @@ profile hardinfo @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
@{sys}/module/** r,


@ -9,7 +9,7 @@
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/haveged
@{exec_path} = @{bin}/haveged
profile haveged @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hciconfig
@{exec_path} = @{bin}/hciconfig
profile hciconfig @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hddtemp
@{exec_path} = @{bin}/hddtemp
profile hddtemp @{exec_path} {
include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hdparm
@{exec_path} = @{bin}/hdparm
profile hdparm @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/user-download-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hexchat
@{exec_path} = @{bin}/hexchat
profile hexchat @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
@ -31,8 +31,8 @@ profile hexchat @{exec_path} {
@{exec_path} mr,
# Hexchat plugins
/{usr/,}lib/@{multiarch}/hexchat/** r,
/{usr/,}lib/@{multiarch}/hexchat/plugins/*.so mr,
@{lib}/@{multiarch}/hexchat/** r,
@{lib}/@{multiarch}/hexchat/plugins/*.so mr,
# Hexchat home files
owner @{HOME}/ r,
@ -45,7 +45,7 @@ profile hexchat @{exec_path} {
/etc/fstab r,
# External apps
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
profile hostname @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
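Review bot: The attachment alternation on the new `@{exec_path}` line lists `nisdomainname` twice (`{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}`), and the refactor carried the duplicate over unchanged. A repeated alternative is harmless to the parser but looks like a typo; if the hostname package's `dnsdomainname` was the intended fifth name, that binary currently attaches to no profile here. I would write `@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,dnsdomainname}` after confirming against the package's file list, or at least drop the duplicate.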


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/htop
@{exec_path} = @{bin}/htop
profile htop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -25,7 +25,7 @@ profile htop @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/lsof rix,
@{bin}/lsof rix,
/usr/share/terminfo/x/xterm-256color r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hugeadm
@{exec_path} = @{bin}/hugeadm
profile hugeadm @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hugo
@{exec_path} = @{bin}/hugo
profile hugo @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -21,9 +21,9 @@ profile hugo @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/git rix,
/{usr/,}lib/go/bin/go rix,
/{usr/,}lib/git-core/git-remote-http rix,
@{bin}/git rix,
@{lib}/go/bin/go rix,
@{lib}/git-core/git-remote-http rix,
/usr/share/git-core/{,**} r,
/usr/share/mime/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hw-probe
@{exec_path} = @{bin}/hw-probe
profile hw-probe @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@ -17,72 +17,72 @@ profile hw-probe @{exec_path} {
network inet6 dgram,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/pwd rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/uname rix,
@{bin}/pwd rix,
@{bin}/{,e}grep rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/sleep rix,
@{bin}/md5sum rix,
@{bin}/uname rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/tar rix,
@{bin}/dd rix,
@{bin}/tar rix,
/{usr/,}bin/efivar rix,
/{usr/,}bin/efibootmgr rix,
@{bin}/efivar rix,
@{bin}/efibootmgr rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/dpkg rPx -> child-dpkg,
/{usr/,}{s,}bin/dkms rPx,
/{usr/,}{s,}bin/fdisk rPx,
/{usr/,}bin/upower rPx,
/{usr/,}{s,}bin/hdparm rPx,
/{usr/,}{s,}bin/smartctl rPx,
/{usr/,}bin/sensors rPx,
/{usr/,}bin/lsblk rPx,
/{usr/,}bin/dmesg rPx,
/{usr/,}bin/hciconfig rPx,
/{usr/,}bin/uptime rPx,
/{usr/,}{s,}bin/rfkill rPx,
/{usr/,}{s,}bin/biosdecode rPx,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}bin/edid-decode rPx,
/{usr/,}bin/cpupower rPx,
/{usr/,}bin/acpi rPx,
/{usr/,}bin/lspci rPx,
/{usr/,}bin/lscpu rPx,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/usb-devices rPx,
/{usr/,}{s,}bin/hwinfo rPx,
/{usr/,}bin/glxinfo rPx,
/{usr/,}{s,}bin/i2cdetect rPx,
/{usr/,}bin/glxgears rPx,
/{usr/,}{s,}bin/memtester rPx,
/{usr/,}bin/xrandr rPx,
/{usr/,}bin/inxi rPx,
/{usr/,}bin/aplay rPx,
/{usr/,}bin/amixer rPx,
/{usr/,}bin/xdpyinfo rPx,
/{usr/,}bin/df rPx,
/{usr/,}bin/cpuid rPx,
/{usr/,}bin/xinput rPx,
@{bin}/acpi rPx,
@{bin}/amixer rPx,
@{bin}/aplay rPx,
@{bin}/biosdecode rPx,
@{bin}/cpuid rPx,
@{bin}/cpupower rPx,
@{bin}/df rPx,
@{bin}/dkms rPx,
@{bin}/dmesg rPx,
@{bin}/dmidecode rPx,
@{bin}/edid-decode rPx,
@{bin}/fdisk rPx,
@{bin}/glxgears rPx,
@{bin}/glxinfo rPx,
@{bin}/hciconfig rPx,
@{bin}/hdparm rPx,
@{bin}/hwinfo rPx,
@{bin}/i2cdetect rPx,
@{bin}/inxi rPx,
@{bin}/lsblk rPx,
@{bin}/lscpu rPx,
@{bin}/lspci rPx,
@{bin}/lsusb rPx,
@{bin}/memtester rPx,
@{bin}/rfkill rPx,
@{bin}/sensors rPx,
@{bin}/smartctl rPx,
@{bin}/upower rPx,
@{bin}/uptime rPx,
@{bin}/usb-devices rPx,
@{bin}/xdpyinfo rPx,
@{bin}/xinput rPx,
@{bin}/xrandr rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
@{bin}/systemctl rPx -> child-systemctl,
/{usr/,}bin/find rCx -> find,
/{usr/,}bin/journalctl rCx -> journalctl,
/{usr/,}bin/systemd-analyze rCx -> systemd-analyze,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/udevadm rCx -> udevadm,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}{s,}bin/iw rCx -> netconfig,
/{usr/,}{s,}bin/ifconfig rCx -> netconfig,
/{usr/,}{s,}bin/iwconfig rCx -> netconfig,
/{usr/,}{s,}bin/ethtool rCx -> netconfig,
/{usr/,}bin/curl rCx -> curl,
@{bin}/curl rCx -> curl,
@{bin}/ethtool rCx -> netconfig,
@{bin}/find rCx -> find,
@{bin}/ifconfig rCx -> netconfig,
@{bin}/iw rCx -> netconfig,
@{bin}/iwconfig rCx -> netconfig,
@{bin}/journalctl rCx -> journalctl,
@{bin}/killall rCx -> killall,
@{bin}/kmod rCx -> kmod,
@{bin}/systemd-analyze rCx -> systemd-analyze,
@{bin}/udevadm rCx -> udevadm,
owner /root/HW_PROBE/{,**} rw,
@ -117,7 +117,7 @@ profile hw-probe @{exec_path} {
capability dac_read_search,
/{usr/,}bin/find mr,
@{bin}/find mr,
/dev/{,**} r,
@ -128,7 +128,7 @@ profile hw-probe @{exec_path} {
profile journalctl {
include <abstractions/base>
/{usr/,}bin/journalctl mr,
@{bin}/journalctl mr,
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
@ -147,7 +147,7 @@ profile hw-probe @{exec_path} {
profile systemd-analyze {
include <abstractions/base>
/{usr/,}bin/systemd-analyze mr,
@{bin}/systemd-analyze mr,
owner @{PROC}/@{pid}/stat r,
@ -162,7 +162,7 @@ profile hw-probe @{exec_path} {
ptrace (read),
/{usr/,}bin/killall mr,
@{bin}/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@ -174,7 +174,7 @@ profile hw-probe @{exec_path} {
profile udevadm {
include <abstractions/base>
/{usr/,}bin/udevadm mr,
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
@ -196,7 +196,7 @@ profile hw-probe @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
@{PROC}/cmdline r,
@{PROC}/modules r,
@ -221,10 +221,10 @@ profile hw-probe @{exec_path} {
network appletalk dgram,
network netlink raw,
/{usr/,}{s,}bin/iw mr,
/{usr/,}{s,}bin/ifconfig mr,
/{usr/,}{s,}bin/iwconfig mr,
/{usr/,}{s,}bin/ethtool mr,
@{bin}/iw mr,
@{bin}/ifconfig mr,
@{bin}/iwconfig mr,
@{bin}/ethtool mr,
owner @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/net/dev r,
@ -237,7 +237,7 @@ profile hw-probe @{exec_path} {
include <abstractions/openssl>
include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
@{bin}/curl mr,
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hwinfo
@{exec_path} = @{bin}/hwinfo
profile hwinfo @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
@ -31,12 +31,12 @@ profile hwinfo @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/udevadm rCx -> udevadm,
@{bin}/kmod rCx -> kmod,
@{bin}/udevadm rCx -> udevadm,
/{usr/,}{s,}bin/dmraid rPUx,
@{bin}/dmraid rPUx,
@{PROC}/version r,
@{PROC}/cmdline r,
@ -77,7 +77,7 @@ profile hwinfo @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
/etc/modprobe.d/{,*.conf} r,
@ -94,7 +94,7 @@ profile hwinfo @{exec_path} {
profile udevadm {
include <abstractions/base>
/{usr/,}bin/udevadm mr,
@{bin}/udevadm mr,
/etc/udev/udev.conf r,


@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hypnotix
@{exec_path} += /{usr/,}lib/hypnotix/hypnotix.py
@{exec_path} = @{bin}/hypnotix
@{exec_path} += @{lib}/hypnotix/hypnotix.py
profile hypnotix @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
@ -36,17 +36,17 @@ profile hypnotix @{exec_path} {
network netlink raw,
@{exec_path} rix,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mkdir rix,
@{bin}/{,ba,da}sh rix,
@{bin}/ldconfig rix,
@{bin}/mkdir rix,
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
@{bin}/xdg-screensaver rCx -> xdg-screensaver,
/{usr/,}bin/youtube-dl rPUx,
/{usr/,}bin/yt-dlp rPUx,
/{usr/,}lib/firefox/firefox rPx,
@{bin}/youtube-dl rPUx,
@{bin}/yt-dlp rPUx,
@{lib}/firefox/firefox rPx,
/usr/share/hypnotix/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -69,22 +69,22 @@ profile hypnotix @{exec_path} {
/dev/ r,
# Silencer
deny /{usr/,}lib/hypnotix/** w,
deny @{lib}/hypnotix/** w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
@{bin}/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xset rix,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
owner @{HOME}/.Xauthority r,
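Review bot: `@{bin}/youtube-dl rPUx` and `@{bin}/yt-dlp rPUx` keep an unconfined fallback for the two helpers that fetch and parse untrusted stream metadata, while the browser on the following line gets a strict `rPx`. With `PUx`, the downloader runs with no confinement at all whenever no profile for it is loaded, which is the worst case for a network-facing parser launched from a media player. If profiles for these tools exist in the set, prefer `@{bin}/youtube-dl rPx,` and `@{bin}/yt-dlp rPx,`; otherwise a comment such as `# No dedicated profile yet: falls back to unconfined` would at least make the gap visible. The hypnotix main profile body continues outside this hunk.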


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/i2cdetect
@{exec_path} = @{bin}/i2cdetect
profile i2cdetect @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/i3lock
@{exec_path} = @{bin}/i3lock
profile i3lock @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
@ -19,7 +19,7 @@ profile i3lock @{exec_path} {
@{exec_path} mr,
/{usr/,}sbin/unix_chkpwd rPx,
@{bin}/unix_chkpwd rPx,
owner @{HOME}/.Xauthority r,
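Review bot: `@{bin}/unix_chkpwd rPx` replaces a rule that matched only `/{usr/,}sbin/unix_chkpwd`, and since the same variable stands in for plain `bin/` paths elsewhere in this commit (`id`, `hugeadm`) as well as `{s,}bin` ones (`hddtemp`), `@{bin}` evidently spans both directories, so this helper may now also be reached at a bin path. On a standard layout that is harmless because the binary lives only in sbin, but this rule, which presumably covers the PAM password check for the locker, quietly lost precision. If the intent is strictly sbin, keep `/{usr/,}sbin/unix_chkpwd rPx,` here; otherwise a one-line note that `@{bin}` covers sbin too would make the widening deliberate.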


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/i3lock-fancy
@{exec_path} = @{bin}/i3lock-fancy
profile i3lock-fancy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -14,22 +14,22 @@ profile i3lock-fancy @{exec_path} {
include <abstractions/fontconfig-cache-read>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/fc-match rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/env rix,
@{bin}/rm rix,
@{bin}/fc-match rix,
@{bin}/getopt rix,
@{bin}/mktemp rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/env rix,
/{usr/,}bin/i3lock rPx,
/{usr/,}bin/xrandr rPx,
@{bin}/i3lock rPx,
@{bin}/xrandr rPx,
/{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
/{usr/,}bin/import-im6.q16 rCx -> imagemagic,
/{usr/,}bin/scrot rCx -> imagemagic,
@{bin}/convert-im6.q16 rCx -> imagemagic,
@{bin}/import-im6.q16 rCx -> imagemagic,
@{bin}/scrot rCx -> imagemagic,
owner /tmp/tmp.*.png rw,
owner /tmp/tmp.* rw,
@ -46,9 +46,9 @@ profile i3lock-fancy @{exec_path} {
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
/{usr/,}bin/convert-im6.q16 mr,
/{usr/,}bin/import-im6.q16 mr,
/{usr/,}bin/scrot mr,
@{bin}/convert-im6.q16 mr,
@{bin}/import-im6.q16 mr,
@{bin}/scrot mr,
/usr/share/ImageMagick-[0-9]/*.xml r,
/etc/ImageMagick-[0-9]/*.xml r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/id
@{exec_path} = @{bin}/id
profile id @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ifconfig
@{exec_path} = @{bin}/ifconfig
profile ifconfig @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/{ifup,ifdown,ifquery}
@{exec_path} = @{bin}/{ifup,ifdown,ifquery}
profile ifup @{exec_path} {
include <abstractions/base>
@ -18,21 +18,21 @@ profile ifup @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/route rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ip rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/wc rix,
@{bin}/{,ba,da}sh rix,
@{bin}/ip rix,
@{bin}/route rix,
@{bin}/seq rix,
@{bin}/sleep rix,
@{bin}/wc rix,
/{usr/,}{s,}bin/dhclient rPx,
/{usr/,}bin/macchanger rPx,
@{bin}/dhclient rPx,
@{bin}/macchanger rPx,
/{usr/,}lib/ifupdown/*.sh rix,
@{lib}/ifupdown/*.sh rix,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}{s,}bin/sysctl rCx -> sysctl,
@{bin}/run-parts rCx -> run-parts,
@{bin}/kmod rCx -> kmod,
@{bin}/sysctl rCx -> sysctl,
/etc/network/interfaces r,
/etc/network/interfaces.d/{,*} r,
@ -50,9 +50,9 @@ profile ifup @{exec_path} {
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
@{bin}/run-parts mr,
/{usr/,}lib/bridge-utils/ifupdown.sh rPUx,
@{lib}/bridge-utils/ifupdown.sh rPUx,
/etc/network/if-down.d/ r,
/etc/network/if-down.d/resolvconf rPUx,
@ -95,7 +95,7 @@ profile ifup @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
@{sys}/module/** r,
@ -115,7 +115,7 @@ profile ifup @{exec_path} {
capability sys_admin,
# capability sys_resource,
/{usr/,}{s,}bin/sysctl mr,
@{bin}/sysctl mr,
@{PROC}/sys/ r,
@{PROC}/sys/** r,
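Review bot: In the `run-parts` child profile, `@{lib}/bridge-utils/ifupdown.sh rPUx` and `/etc/network/if-down.d/resolvconf rPUx` let network hook scripts fall back to running unconfined whenever no profile for them is loaded, and this commit only swaps the path prefix. These hooks are launched from ifup/ifdown in a privileged context (the sysctl child further down needs `capability sys_admin`), so the unconfined fallback is an unconfined privileged process for any hook that lacks a profile. Where a profile exists, `rPx` would fail closed instead of silently dropping confinement; where none exists, a comment such as `# Hooks without a profile run unconfined: add profiles as they appear` keeps the exposure visible. The run-parts child profile continues outside this hunk.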


@ -6,20 +6,20 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/im-launch
@{exec_path} = @{bin}/im-launch
profile im-launch @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gnome-session rix,
/{usr/,}bin/env rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/gettext{,.sh} rix,
/{usr/,}bin/true rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/dpkg-query rpx,
@{bin}/{,ba,da}sh rix,
@{bin}/gnome-session rix,
@{bin}/env rix,
@{bin}/locale rix,
@{bin}/gettext{,.sh} rix,
@{bin}/true rix,
@{bin}/sed rix,
@{bin}/dpkg-query rpx,
/usr/share/im-config/{,**} r,
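Review bot: `@{bin}/dpkg-query rpx` uses the lowercase transition, so dpkg-query is entered without the environment scrubbing that `Px` applies (LD_PRELOAD and similar variables survive), and unlike the identical rule in the inxi profile in this same commit there is no comment explaining why. If the unscrubbed environment is deliberate, add the justification above the line, e.g. `# Do not strip env (lowercase p): same LD_PRELOAD issue as in the inxi profile`; if it is not, `@{bin}/dpkg-query rPx,` is the safer default. The im-launch profile body continues outside this hunk.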


@ -11,17 +11,17 @@ profile initd-kexec @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/echo rix,
@{bin}/cat rix,
@{bin}/readlink rix,
@{bin}/tput rix,
@{bin}/echo rix,
/{usr/,}{s,}bin/kexec rPx,
@{bin}/kexec rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl,
@{bin}/run-parts rCx -> run-parts,
@{bin}/systemctl rCx -> systemctl,
/etc/default/kexec r,
@ -30,7 +30,7 @@ profile initd-kexec @{exec_path} {
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
@{bin}/run-parts mr,
/etc/default/kexec.d/ r,
@ -43,9 +43,9 @@ profile initd-kexec @{exec_path} {
ptrace (read),
/{usr/,}bin/systemctl mr,
@{bin}/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
@{bin}/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,


@ -11,23 +11,23 @@ profile initd-kexec-load @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/head rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/{m,g,}awk rix,
@{bin}/cut rix,
@{bin}/tail rix,
@{bin}/sed rix,
@{bin}/head rix,
@{bin}/rm rix,
@{bin}/readlink rix,
@{bin}/tput rix,
/{usr/,}{s,}bin/kexec rPx,
@{bin}/kexec rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl,
@{bin}/run-parts rCx -> run-parts,
@{bin}/systemctl rCx -> systemctl,
/no-kexec-reboot rw,
@ -43,7 +43,7 @@ profile initd-kexec-load @{exec_path} {
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
@{bin}/run-parts mr,
/etc/default/kexec.d/ r,
@ -57,9 +57,9 @@ profile initd-kexec-load @{exec_path} {
ptrace (read),
/{usr/,}bin/systemctl mr,
@{bin}/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
@{bin}/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,


@ -11,18 +11,18 @@ profile initd-kmod @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/id rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/{,e}grep rix,
@{bin}/readlink rix,
@{bin}/tput rix,
@{bin}/id rix,
@{bin}/echo rix,
@{bin}/{,e}grep rix,
/{usr/,}bin/kmod rPx,
@{bin}/kmod rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rCx -> systemctl,
@{bin}/run-parts rCx -> run-parts,
@{bin}/systemctl rCx -> systemctl,
/etc/modules-load.d/*.conf r,
/etc/modules r,
@ -31,7 +31,7 @@ profile initd-kmod @{exec_path} {
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
@{bin}/run-parts mr,
/etc/modules-load.d/ r,
@ -44,9 +44,9 @@ profile initd-kmod @{exec_path} {
ptrace (read),
/{usr/,}bin/systemctl mr,
@{bin}/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
@{bin}/systemd-tty-ask-password-agent rix,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/install-catalog
@{exec_path} = @{bin}/install-catalog
profile install-catalog @{exec_path} {
include <abstractions/base>
@ -14,12 +14,12 @@ profile install-catalog @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
@{bin}/{,ba}sh rix,
@{bin}/basename rix,
@{bin}/grep rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sed rix,
/etc/sgml/catalog{,.new} rw,
/etc/sgml/sgml-docbook.cat{,.new} rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/install-info
@{exec_path} = @{bin}/install-info
profile install-info @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -15,8 +15,8 @@ profile install-info @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gzip rix,
@{bin}/{,ba,da}sh rix,
@{bin}/gzip rix,
/usr/share/info/{,**} r,
/usr/share/info/dir rw,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/install-printerdriver
@{exec_path} = @{bin}/install-printerdriver
@{exec_path} += /usr/share/system-config-printer/install-printerdriver.py
profile install-printerdriver @{exec_path} flags=(complain) {
include <abstractions/base>
@ -14,8 +14,8 @@ profile install-printerdriver @{exec_path} flags=(complain) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/{,ba,da}sh rix,
@{bin}/python3.[0-9]* r,
/usr/share/system-config-printer/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/inxi
@{exec_path} = @{bin}/inxi
profile inxi @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -20,52 +20,52 @@ profile inxi @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/file rix,
@{bin}/ r,
@{bin}/{,ba,da}sh rix,
@{bin}/zsh rix,
@{bin}/tty rix,
@{bin}/tput rix,
@{bin}/getconf rix,
@{bin}/file rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/ip rCx -> ip,
/{usr/,}lib/systemd/systemd rCx -> systemd,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/udevadm rCx -> udevadm,
@{bin}/ip rCx -> ip,
@{lib}/systemd/systemd rCx -> systemd,
@{bin}/kmod rCx -> kmod,
@{bin}/udevadm rCx -> udevadm,
/{usr/,}bin/systemctl rPx -> child-systemctl,
@{bin}/systemctl rPx -> child-systemctl,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
@{bin}/dpkg-query rpx,
/{usr/,}bin/compton rPx,
/{usr/,}bin/xrandr rPx,
/{usr/,}bin/glxinfo rPx,
/{usr/,}bin/lspci rPx,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/lsblk rPx,
/{usr/,}bin/sensors rPx,
/{usr/,}bin/uptime rPx,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}bin/xdpyinfo rPx,
/{usr/,}bin/who rPx,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/df rPx,
/{usr/,}{s,}bin/blockdev rPx,
/{usr/,}bin/dig rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/sudo rPx,
/{usr/,}bin/openbox rPx,
/{usr/,}bin/xset rPx,
/{usr/,}{s,}bin/smartctl rPx,
/{usr/,}{s,}bin/hddtemp rPx,
@{bin}/blockdev rPx,
@{bin}/compton rPx,
@{bin}/df rPx,
@{bin}/dig rPx,
@{bin}/dmidecode rPx,
@{bin}/glxinfo rPx,
@{bin}/hddtemp rPx,
@{bin}/lsblk rPx,
@{bin}/lspci rPx,
@{bin}/lsusb rPx,
@{bin}/openbox rPx,
@{bin}/ps rPx,
@{bin}/sensors rPx,
@{bin}/smartctl rPx,
@{bin}/sudo rPx,
@{bin}/uptime rPx,
@{bin}/who rPx,
@{bin}/xdpyinfo rPx,
@{bin}/xprop rPx,
@{bin}/xrandr rPx,
@{bin}/xset rPx,
/etc/ r,
/etc/inxi.conf r,
@ -118,7 +118,7 @@ profile inxi @{exec_path} {
network netlink raw,
/{usr/,}bin/ip mr,
@{bin}/ip mr,
@{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r,
@ -129,7 +129,7 @@ profile inxi @{exec_path} {
profile systemd {
include <abstractions/base>
/{usr/,}lib/systemd/systemd mr,
@{lib}/systemd/systemd mr,
/etc/systemd/user.conf r,
@ -143,7 +143,7 @@ profile inxi @{exec_path} {
profile udevadm {
include <abstractions/base>
/{usr/,}bin/udevadm mr,
@{bin}/udevadm mr,
/etc/udev/udev.conf r,
@ -161,7 +161,7 @@ profile inxi @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
@{PROC}/cmdline r,
@{PROC}/modules r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ioping
@{exec_path} = @{bin}/ioping
profile ioping @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iotop
@{exec_path} = @{bin}/iotop
profile iotop @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@ -19,11 +19,11 @@ profile iotop @{exec_path} {
capability sys_nice,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/file rix,
@{bin}/file rix,
/{usr/,}{s,}bin/ r,
@{bin}/ r,
@{PROC}/ r,
@{PROC}/vmstat r,


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/ip
@{exec_path} = @{bin}/ip
profile ip @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>


@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ipcalc
@{exec_path} = @{bin}/ipcalc
profile ipcalc @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
@{bin}/perl r,
include if exists <local/ipcalc>
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/irqbalance
@{exec_path} = @{bin}/irqbalance
profile irqbalance @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iw
@{exec_path} = @{bin}/iw
profile iw @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iwconfig
@{exec_path} = @{bin}/iwconfig
profile iwconfig @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/iwlist
@{exec_path} = @{bin}/iwlist
profile iwlist @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jami-gnome
@{exec_path} = @{bin}/jami-gnome
profile jami-gnome @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -38,8 +38,8 @@ profile jami-gnome @{exec_path} {
owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v0 w,
owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v1/ w,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
@{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
@{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
/usr/share/ring/{,**} r,
/usr/share/sounds/jami-gnome/{,**} r,


@ -20,24 +20,24 @@ profile jdownloader @{exec_path} {
@{exec_path} rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/find rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/chmod rix,
@{bin}/basename rix,
@{bin}/dirname rix,
@{bin}/expr rix,
@{bin}/cut rix,
@{bin}/ls rix,
@{bin}/{,e}grep rix,
@{bin}/find rix,
@{bin}/sed rix,
@{bin}/chmod rix,
/{usr/,}bin/ffmpeg rPx,
@{bin}/ffmpeg rPx,
# These are needed when the above tools are in some nonstandard locations
#/{usr/,}bin/which{,.debianutils} rix,
#@{bin}/which{,.debianutils} rix,
#/usr/ r,
#/usr/local/ r,
#/{usr/,}bin/ r,
#/{usr/,}lib/ r,
#@{bin}/ r,
#@{lib}/ r,
deny /opt/ r,
@ -86,35 +86,35 @@ profile jdownloader @{exec_path} {
deny @{PROC}/asound/version r,
# For Reconnect -> Share Settings/Get Route
#/{usr/,}bin/netstat rix,
#/{usr/,}{s,}bin/route rix,
#/{usr/,}bin/ping rix,
#/{usr/,}bin/ip rix,
#@{bin}/netstat rix,
#@{bin}/route rix,
#@{bin}/ping rix,
#@{bin}/ip rix,
#@{PROC}/@{pid}/net/route r,
# To open a web browser for CAPTCHA
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@{bin}/xdg-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{bin}/xdg-open mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,


@ -7,18 +7,18 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jekyll
@{exec_path} = @{bin}/jekyll
profile jekyll @{exec_path} {
include <abstractions/base>
include <abstractions/ruby>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/ruby[0-9].[0-9]* rix,
@{bin}/ruby[0-9].[0-9]* rix,
/{usr/,}lib/ruby/gems/*/specifications/ r,
/{usr/,}lib/ruby/gems/*/specifications/** r,
/{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,
@{lib}/ruby/gems/*/specifications/ r,
@{lib}/ruby/gems/*/specifications/** r,
@{lib}/ruby/gems/*/specifications/**.gemspec rwk,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
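Review bot: `@{lib}/ruby/gems/*/specifications/**.gemspec rwk` and `/usr/share/rubygems-integration/*/specifications/*.gemspec rwk` grant write and lock on system-wide gemspec files, which rubygems evaluates as Ruby; the commit only swaps the path prefix. For a user-run site generator DAC will usually refuse the write anyway, but if jekyll is ever run as root a compromised build could persist code into every gem specification on the host. If the write is only a rubygems probe that tolerates a permission error, prefer read-only rules with an explicit `deny ... w` to silence the log; if it is genuinely required, a short comment stating why would justify keeping `w` on code-bearing files. The jekyll profile body continues outside this hunk.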


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jgmenu{,_run}
@{exec_path} = @{bin}/jgmenu{,_run}
profile jgmenu @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -19,14 +19,14 @@ profile jgmenu @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/find rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/cat rix,
@{bin}/{,ba,da}sh rix,
@{bin}/zsh rix,
@{bin}/mkdir rix,
@{bin}/find rix,
@{bin}/wc rix,
@{bin}/cat rix,
/{usr/,}lib/jgmenu/jgmenu-* rix,
@{lib}/jgmenu/jgmenu-* rix,
owner @{HOME}/ r,
owner @{HOME}/.jgmenu-lockfile rwk,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/jmtpfs
@{exec_path} = @{bin}/jmtpfs
profile jmtpfs @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
@ -15,7 +15,7 @@ profile jmtpfs @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
@{bin}/fusermount{,3} rCx -> fusermount,
owner /tmp/tmp* rw,
owner /tmp/#[0-9]* rw,
@ -45,7 +45,7 @@ profile jmtpfs @{exec_path} {
#
capability dac_read_search,
/{usr/,}bin/fusermount{,3} mr,
@{bin}/fusermount{,3} mr,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kanyremote
@{exec_path} = @{bin}/kanyremote
profile kanyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -27,34 +27,34 @@ profile kanyremote @{exec_path} {
network inet6 stream,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/id rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/head rix,
/{usr/,}bin/find rix,
@{bin}/ r,
@{bin}/rm rix,
@{bin}/{,e}grep rix,
@{bin}/cut rix,
@{bin}/id rix,
@{bin}/which{,.debianutils} rix,
@{bin}/tr rix,
@{bin}/{m,g,}awk rix,
@{bin}/head rix,
@{bin}/find rix,
/{usr/,}bin/anyremote rPx,
/{usr/,}bin/ps rPx,
@{bin}/anyremote rPx,
@{bin}/ps rPx,
/{usr/,}bin/killall rCx -> killall,
/{usr/,}bin/pgrep rCx -> pgrep,
@{bin}/killall rCx -> killall,
@{bin}/pgrep rCx -> pgrep,
/{usr/,}bin/pacmd rPUx,
/{usr/,}bin/pactl rPUx,
@{bin}/pacmd rPUx,
@{bin}/pactl rPUx,
# Players
/{usr/,}bin/smplayer rPUx,
/{usr/,}bin/amarok rPUx,
/{usr/,}bin/vlc rPUx,
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/strawberry rPUx,
@{bin}/smplayer rPUx,
@{bin}/amarok rPUx,
@{bin}/vlc rPUx,
@{bin}/mpv rPUx,
@{bin}/strawberry rPUx,
owner @{HOME}/ r,
owner @{HOME}/.anyRemote/{,*} rw,
@ -91,7 +91,7 @@ profile kanyremote @{exec_path} {
ptrace (read),
/{usr/,}bin/killall mr,
@{bin}/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
@ -104,7 +104,7 @@ profile kanyremote @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/pgrep mr,
@{bin}/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass
@{exec_path} = @{lib}/@{multiarch}/libexec/kcheckpass
profile kcheckpass @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -17,7 +17,7 @@ profile kcheckpass @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/unix_chkpwd rPx,
@{bin}/unix_chkpwd rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
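Review bot: The `unix_chkpwd` rule on the line before `# file_inherit` was previously matched under `/{usr/,}{s,}bin/` and is now `@{bin}/unix_chkpwd rPx`, while elsewhere in the same commit `@{bin}` replaces plain `/{usr/,}bin/`; the tunable's definition is not on this page, so it is worth confirming that `@{bin}` really expands to both bin and sbin. If it covers only bin, this profile (and the `sysctl`, `rdmsr`, `kexec`, `kerneloops`, `kvm-ok` and `lightdm` rules further down that came from `{s,}bin` paths) would stop matching on distributions that still ship these helpers under `/usr/sbin`, and `kcheckpass` would fail its password check rather than fall open. If it does cover sbin, every former `/{usr/,}bin/foo` rule is now slightly wider than before, which is harmless for `rix` of coreutils but worth a one-line comment in the tunable so the trade-off is recorded.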


@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kconfig-hardened-check
@{exec_path} = @{bin}/kconfig-hardened-check
profile kconfig-hardened-check @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
@{bin}/python3.[0-9]* r,
/{usr/,}bin/ r,
@{bin}/ r,
# The usual kernel config locations


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc
@{exec_path} = @{bin}/keepassxc
profile keepassxc @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
@ -39,9 +39,9 @@ profile keepassxc @{exec_path} {
@{exec_path} mrix,
# Allowed apps to open
/{usr/,}bin/geany rPUx,
/{usr/,}bin/xdg-open rCx -> child-open,
/{usr/,}lib/firefox/firefox rPx,
@{bin}/geany rPUx,
@{bin}/xdg-open rCx -> child-open,
@{lib}/firefox/firefox rPx,
/usr/share/hwdata/pnp.ids r,
/usr/share/keepassxc/{,**} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc-cli
@{exec_path} = @{bin}/keepassxc-cli
profile keepassxc-cli @{exec_path} {
include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc-proxy
@{exec_path} = @{bin}/keepassxc-proxy
profile keepassxc-proxy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,28 +6,28 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kernel-install
@{exec_path} = @{bin}/kernel-install
profile kernel-install @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/mountpoint rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/basename rix,
@{bin}/mountpoint rix,
@{bin}/sort rix,
@{bin}/rm rix,
@{bin}/mkdir rix,
@{bin}/cp rix,
@{bin}/chown rix,
@{bin}/chmod rix,
@{bin}/basename rix,
/{usr/,}bin/kmod rCx -> kmod,
@{bin}/kmod rCx -> kmod,
/{usr/,}lib/kernel/install.d/ r,
/{usr/,}lib/kernel/install.d/[0-9][0-9]-*.install rix,
@{lib}/kernel/install.d/ r,
@{lib}/kernel/install.d/[0-9][0-9]-*.install rix,
/etc/kernel/install.d/ r,
/etc/kernel/install.d/*.install rix,
@ -41,10 +41,10 @@ profile kernel-install @{exec_path} {
owner /boot/loader/entries/ rw,
owner /boot/loader/entries/*.conf w,
/{usr/,}lib/modules/*/modules.* w,
@{lib}/modules/*/modules.* w,
/etc/os-release r,
/{usr/,}lib/os-release r,
@{lib}/os-release r,
/etc/kernel/tries r,
@ -58,7 +58,7 @@ profile kernel-install @{exec_path} {
profile kmod flags=(complain) {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
}


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kerneloops
@{exec_path} = @{bin}/kerneloops
profile kerneloops @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kerneloops-applet
@{exec_path} = @{bin}/kerneloops-applet
profile kerneloops-applet @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kexec
@{exec_path} = @{bin}/kexec
profile kexec @{exec_path} flags=(complain) {
include <abstractions/base>


@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/{kmod,lsmod}
@{exec_path} += /{usr/,}{s,}bin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}
@{exec_path} = @{bin}/{kmod,lsmod}
@{exec_path} += @{bin}/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}
profile kmod @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -25,15 +25,15 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}{s,}bin/sysctl rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/false rix,
/{usr/,}bin/id rix,
/{usr/,}bin/true rix,
@{bin}/{,ba,da}sh rix,
@{bin}/basename rix,
@{bin}/false rix,
@{bin}/id rix,
@{bin}/sysctl rPx,
@{bin}/true rix,
/{usr/,}lib/modprobe.d/{,*.conf} r,
/{usr/,}lib/modules/*/modules.* rw,
@{lib}/modprobe.d/{,*.conf} r,
@{lib}/modules/*/modules.* rw,
/etc/depmod.d/{,**} r,
/etc/modprobe.d/{,*.conf} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kodi /{usr/,}lib/@{multiarch}/kodi/kodi.bin
@{exec_path} = @{bin}/kodi @{lib}/@{multiarch}/kodi/kodi.bin
profile kodi @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -20,22 +20,22 @@ profile kodi @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/kodi/kodi.bin mrix,
/{usr/,}lib/@{multiarch}/kodi/kodi-xrandr rPx,
@{lib}/@{multiarch}/kodi/kodi.bin mrix,
@{lib}/@{multiarch}/kodi/kodi-xrandr rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/find rix,
/{usr/,}bin/date rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/dirname rix,
/{usr/,}{s,}bin/ldconfig rix,
@{bin}/{,ba,da}sh rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/date rix,
@{bin}/dirname rix,
@{bin}/find rix,
@{bin}/ldconfig rix,
@{bin}/mv rix,
@{bin}/uname rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/df rCx -> df,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/df rCx -> df,
/usr/share/kodi/{,**} r,
@ -77,7 +77,7 @@ profile kodi @{exec_path} {
profile df {
include <abstractions/base>
/{usr/,}bin/df mr,
@{bin}/df mr,
owner @{PROC}/@{pid}/mountinfo r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr
@{exec_path} = @{lib}/@{multiarch}/kodi/kodi-xrandr
profile kodi-xrandr @{exec_path} {
include <abstractions/base>


@ -6,20 +6,20 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kvm-ok
@{exec_path} = @{bin}/kvm-ok
profile kvm-ok @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix,
@{bin}/uname rix,
@{bin}/{,e}grep rix,
@{bin}/id rix,
/{usr/,}bin/kmod rCx -> kmod,
@{bin}/kmod rCx -> kmod,
/{usr/,}{s,}bin/rdmsr rPx,
@{bin}/rdmsr rPx,
#/proc/cpuinfo r,
#/dev/kvm r,
@ -32,12 +32,12 @@ profile kvm-ok @{exec_path} {
profile kmod {
include <abstractions/base>
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
/{usr/,}lib/modprobe.d/ r,
/{usr/,}lib/modprobe.d/*.conf r,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
@{PROC}/cmdline r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/labwc
@{exec_path} = @{bin}/labwc
profile labwc @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -26,9 +26,8 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
# Apps allowed to run
/{usr/,}{s,}bin/* rPUx,
/{usr/,}bin/* rPUx,
@{libexec}/* rPUx,
@{bin}/* rPUx,
@{lib}/* rPUx,
/usr/share/libinput/ r,
/usr/share/libinput/*.quirks r,
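Review bot: In the `# Apps allowed to run` block, `@{libexec}/* rPUx` is replaced by `@{lib}/* rPUx`, which is not the same set of paths unless `@{lib}` is defined to include the libexec directory; neither tunable's definition is visible here, so please confirm. On a layout where libexec is `/usr/libexec`, the new rule drops coverage of the helpers that used to be allowed and instead permits executing direct children of the lib directory, so the change is both a regression for the compositor and a widening elsewhere. The same substitution appears in the lightdm section below (`@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx`), where a non-matching path would leave `at-spi-bus-launcher` without a transition. If `@{lib}` is meant to subsume libexec, a comment on the tunable stating that, or keeping `@{libexec}/* rPUx` alongside `@{lib}/* rPUx`, would make the intent explicit.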


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/landscape-sysinfo
@{exec_path} = @{bin}/landscape-sysinfo
profile landscape-sysinfo @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -25,7 +25,7 @@ profile landscape-sysinfo @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/who rix,
@{bin}/who rix,
/var/log/landscape/{,**} rw,


@ -12,14 +12,14 @@ profile landscape-sysinfo.wrapper @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/bc rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/date rix,
/{usr/,}bin/find rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/landscape-sysinfo rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/bc rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/date rix,
@{bin}/find rix,
@{bin}/grep rix,
@{bin}/landscape-sysinfo rPx,
/ r,
/etc/default/locale r,


@ -14,9 +14,9 @@ profile language-validate @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/locale rix,
@{bin}/{,ba,da}sh rix,
@{bin}/grep rix,
@{bin}/locale rix,
/usr/share/locale-langpack/{,*} r,
/usr/share/language-tools/{,*} r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/last{,b}
@{exec_path} = @{bin}/last{,b}
profile last @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/lastlog
@{exec_path} = @{bin}/lastlog
profile lastlog @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/light
@{exec_path} = @{bin}/light
profile light @{exec_path} {
include <abstractions/base>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/light-locker
@{exec_path} = @{bin}/light-locker
profile light-locker @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/light-locker-command
@{exec_path} = @{bin}/light-locker-command
profile light-locker-command @{exec_path} {
include <abstractions/base>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/lightdm
@{exec_path} = @{bin}/lightdm
profile lightdm @{exec_path} {
include <abstractions/base>
include <abstractions/X>
@ -64,16 +64,16 @@ profile lightdm @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/plymouth mrix,
@{bin}/plymouth mrix,
/{usr/,}bin/Xorg rPx,
/{usr/,}{s,}bin/lightdm-gtk-greeter rPx,
/{usr/,}bin/startx rPx,
@{bin}/lightdm-gtk-greeter rPx,
@{bin}/startx rPx,
@{bin}/Xorg rPx,
/etc/X11/Xsession rPUx,
/{usr/,}bin/gnome-keyring-daemon rPUx,
@{bin}/gnome-keyring-daemon rPUx,
/{usr/,}bin/rm rix,
@{bin}/rm rix,
# LightDM files
/usr/share/lightdm/{,**} r,
@ -116,7 +116,7 @@ profile lightdm @{exec_path} {
owner @{HOME}/.dmrc* rw,
/var/cache/lightdm/dmrc/*.dmrc* rw,
@{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
include if exists <local/lightdm>
}
